Bug#1053098: unadf 0.7.11a-5 calls system() with unsanitized input
Hi,
On Wed, Sep 27, 2023 at 01:19:31PM +0300, Jani Nikula wrote:
> Package: unadf
> Version: 0.7.11a-5
> Severity: grave
> Tags: security
> Justification: user security hole
> X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
>
> Dear Maintainer,
>
> See upstream ADFLib commit 8e973d7b8945 ("Fix unsafe extraction by using
> mkdir() instead of shell command") [1].
>
> 'unadf' passes the directory names within an ADF to system()
> unsanitized. In the most benign failure case, directory names beginning
> with '-' are interpreted as options to mkdir, and unpacking the ADF
> fails.
>
> Please update unadf to fixed upstream version.
>
> [1] https://github.com/lclevy/ADFlib/commit/8e973d7b894552c3a3de0ccd2d1e9cb0b8e618dd
Those are CVE-2016-1243 and CVE-2016-1244 and it looks like the
unstable upload back then, which was aiming to fix the issue,
0.7.11a-4, did not include the patch and so the issue remained unfixed
for all subsequent releases.
I'm merging this back to 838248 and updating the metadata.
Regards,
Salvatore
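The pattern the report describes (an archive entry name pasted into a `system("mkdir ...")` command) and the direct `mkdir(2)` replacement the upstream commit switches to, as an added example that is not unadf's or ADFlib's code. The function names, the metacharacter list and the extra single-component check are my own assumptions, not something the page says the upstream fix contains.

```c
/* Added example: why a shell-built "mkdir <name>" is unsafe for names taken
 * from an archive, and the mkdir(2) replacement. Not ADFlib/unadf code. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Characters the shell would interpret inside an unquoted system() command
 * (assumed list for the audit check below). */
static const char SHELL_META[] = " \t\n;&|<>$`\\\"'()*?[]{}~#";

/* Audit/detection helper: true when an entry name could change the meaning
 * of a "mkdir <name>" shell command. A leading '-' is parsed by mkdir as an
 * option (the benign failure in the report); metacharacters let the shell
 * rewrite the command. This is a check, not the fix. */
bool name_is_shell_hazard(const char *name)
{
    if (name == NULL || name[0] == '\0') return true;
    if (name[0] == '-') return true;            /* mkdir sees an option */
    return strpbrk(name, SHELL_META) != NULL;   /* shell would rewrite it */
}

/* Added hardening (assumption, beyond the upstream commit): accept only a
 * single path component so the entry cannot leave the extraction directory. */
bool name_is_single_component(const char *name)
{
    if (name == NULL || name[0] == '\0') return false;
    if (strchr(name, '/') != NULL) return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return false;
    return true;
}

/* Fixed approach: call mkdir(2) directly. The kernel treats the name as
 * opaque bytes, so "-p" becomes a directory literally named "-p" instead of
 * an option. Returns 0 on success or if the directory exists, -1 on error. */
int create_dir_safe(const char *base, const char *name)
{
    char path[4096];
    if (!name_is_single_component(name)) { errno = EINVAL; return -1; }
    if (snprintf(path, sizeof path, "%s/%s", base, name) >= (int)sizeof path) {
        errno = ENAMETOOLONG; return -1;
    }
    if (mkdir(path, 0755) == 0 || errno == EEXIST) return 0;
    return -1;
}

/* Verification helper: true when path exists and is a directory. */
bool path_is_dir(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 && S_ISDIR(st.st_mode);
}
```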